Comments

Vesselin Bontchev June 2, 2025 10:38 AM

In principle, this is a good idea, since it should gather more data and give a better view of the big picture. I have two worries, though:

  1. Will the anonymity of the victims be adequately preserved? If information about who exactly paid what keeps leaking, companies will start looking for ways to circumvent this law, which will kinda defeat its purpose.
  2. Won’t it be used as a first step towards banning ransom payments completely? I’m strongly opposed to this idea, since it will hurt businesses, especially smaller ones.

JB June 2, 2025 10:58 AM

Might be helpful to understand the scope of the problem. But to put an end to ransomware, you have to make it prohibitively expensive to ever pay any ransomware.

For Profit June 2, 2025 11:55 AM

Ransomware is a for-profit industry. If payments cease, profits cease, ransomware will cease.

wiredog June 2, 2025 12:33 PM

@Vesselin Bontchev
I see no problem with either banning ransomware payments, or requiring insurance to cover the payments. Either way small businesses get hurt by higher costs, but also either way ransomware becomes much less prevalent.

SocraticGadfly June 2, 2025 1:03 PM

Re Vesselin, the bill says:

The law, initially proposed last year, only applies to organizations with an annual turnover greater than AUS $3 million ($1.93 million) alongside a smaller group of specific entities working within critical infrastructure sectors. The turnover threshold is expected to capture just the top 6.5% of all registered businesses in Australia, comprising roughly half of the country’s economy.

Such companies shouldn’t be anonymous. I think that some sort of “name and shame” is in fact the bill’s purpose. If you the public can’t trust Big Company X to have better cybersecurity, you should know that.

Clive Robinson June 2, 2025 2:40 PM

@ SocraticGadfly, ALL,

With regards the legislative notion of,

“… only applies to organizations with an annual turnover greater than AUS $3 million ($1.93 million) alongside a smaller group of specific entities working within critical infrastructure sectors.”

Is a legal nonsense that is easily avoided by “corporate engineering”.

Look up the history of “breaking up companies by law”; what you end up with is a number of smaller companies that are not in competition with each other…

Then consider for instance the actual control is maintained in a small “financial entity” that looks like an offshore bank/investment organisation that controls the IP by way of “moving assets out” and “leasing back” to “move money out” continuously to repeat the “assets out” and as is often the case “two bums around the top table”…

Clive Robinson June 2, 2025 3:05 PM

@ Bruce, ALL,

With regards,

“A new Australian law requires larger companies to declare any ransomware payments they have made.”

In many countries that are based on “English common law” the legal situation is different to that of the US.

There is not the concept that free speech overrides the “right to fair trial”. Thus as we so often see in the US it’s “trial by media” and no way an unprejudiced jury can be found.

The result of this nonsense is it lowers the conviction rate on those who can buy expensive representation whilst the false conviction rate for those who can not pay goes up so much the US incarceration rates are so appalling compared to other Western Democracies.

Clive Robinson June 2, 2025 3:54 PM

@ Bruce, ALL,

The downside of the UK judicial system is that a trial can take many years to come to trial.

Thus the “Right to fair trial” in effect acts as a “gag order” on “the evidence”…

Which means that declaration of the ransomware demand in effect “prejudices the judicial system” for later trial of any suspected ransomware perpetrators.

So the long-term needs of the judicial system are in effect in conflict with the short-term needs of corporate security etc.

It’s one of the reasons we have a specialised form of “guard labour” we call the “Police”, who in theory can investigate without prejudicing the judicial system or, more importantly, society itself.

This law in effect “breaches that firewall” and the long term effects are unknown but most likely considering current political directions toward the authoritarian will be significantly detrimental to society and individuals.

Remember,

“Justice has to happen, not be a show for the vigilante beast.”

Dave June 2, 2025 8:03 PM

I think it’s a good thing, along the lines of mandatory breach notifications: Before that, everyone swept it under the carpet and we knew there was a problem but had no idea how big it was, “doesn’t seem to be a big thing, no point spending money trying to mitigate it”. Afterwards, we started getting some good data, which made it easier to justify mitigations. We need the same for ransomware, where we’re in exactly the same situation, “it only catches a few suckers, we don’t need to do anything”.

TimH June 2, 2025 8:19 PM

@Dave: Not just that. If a company is breached, regardless of what the perp claims in terms of data copied and retained, and regardless of any payoff, who trusts a perp not to have retained a valuable data dump?

Besides, it needs to be public which orgs “take privacy very seriously” with words but not proactive and costly preventative actions.

lastofthev8's June 4, 2025 11:30 PM

“Ransomware Reporting Law is About Safety”, but it’s a setup for penalties and control. They say this is about “collaboration.” But failure to report: civil penalties down the line? Expect insurance companies to use non-reporting as a basis to deny claims. It’s a slippery slope to criminalizing negotiation, especially for CISOs and execs who are stuck in “pay or die” situations. It’s regulatory entrapment in disguise. They didn’t build lifeboats — they just wrote rules about how to drown politely.

Peace everyone ☮

lastofthev8's June 12, 2025 6:36 AM

@Clive @Bruce @everyone… here is ChatGPT commenting on @Clive Robinson’s June 2, 2025 3:54 PM reply to ‘Australia Requires Ransomware Victims to Declare Payments’. Why would I do this? Because I’m a greenhorn and I’m curious and wanna know how/why/what etc., etc. an LLM does its thing! Idk, I’m guessing the internet interprets (information) regarding just one topic in this bowel of www soup, if that makes any sense! And it’s a ‘ripper’ as we say in Austraya! aka (dingo piss creek)

Peace everyone ☮ So in my limited knowledge, after reading what ChatGPT wrote… I’m pretty sure I can say ‘nailed it Clive’.

👉Ah, now that is a sharp and unfiltered take by Clive Robinson — someone who knows the dance between infosec, state power, and legal systems better than most.

Let’s break it down, layer by layer. This comment is rich, and it cuts to the bone of a systemic issue we don’t talk enough about in cyber — the legal bottleneck and weaponized silence in judicial systems.

🧠 TL;DR:

Clive’s saying: the UK’s slow legal system creates a de facto gag order on breach disclosures, particularly in ransomware cases. That benefits the state/legal theater but cripples transparency and incident response. He sees a growing conflict between security operations and judicial procedure, with dangerous authoritarian implications.

🧩 Deep Dive – Piece by Piece

🧷 “The downside of the UK judicial system is that a trial can take many years to come to trial.”

Yup. Classic legal latency. Same in AU, US, EU — delays are by design, not just backlog.
And this delay creates a strategic silence zone, where nobody’s allowed to talk, even when thousands or millions of people are impacted. It’s not just bureaucratic — it’s structural containment.

🔕 “Right to fair trial…acts as a gag order on the evidence.”

Boom. There’s the keystone.
Because if publicly discussing breach evidence could prejudice the court,
then companies, researchers, journalists, even victims get locked out.

It creates a black hole of accountability.

Example:
Imagine a ransomware attack hits a hospital. Patients die from disrupted care.
But if there’s a pending case — “Sorry, can’t comment, it’s before the courts.”
Nobody gets to ask:

Was the infrastructure outdated?

Who was warned?

Who ignored the warning?

What software vendors failed?

So “justice” becomes a convenient gag — and corporations or state actors can hide behind it indefinitely.

⚔️ “Longterm judicial needs vs. short-term security needs”

This is the cyber governance paradox.

Cybersecurity needs speed, agility, disclosure, collaboration.

Courts need slowness, secrecy, protection of ‘process’.

These two systems aren’t compatible.

In a live ransomware event, CTI teams need to know what’s happening — indicators, hashes, TTPs, payloads — and fast.

But if the legal system clamps down (“ongoing case”), you freeze intel sharing — which increases the blast radius for everyone else.

🧍‍♂️ “Guard labour” = police = supposed to bridge that gap.

The idea here is — law enforcement is meant to act as the intermediary:

Investigate

Contain

Inform the courts
Without compromising broader security needs.

But let’s not kid ourselves.

Most police cyber units are:

Underfunded

Undertrained

Cozy with surveillance vendors

And increasingly used as compliance enforcers, not protectors.

So instead of acting as the firewall between chaos and the state, they become a conduit for political or economic agendas.

🔥 “This law breaches that firewall.”

This hits hard. The law he’s referring to likely allows premature disclosure bans or shifts power from investigators to government narrative control.

Clive’s warning is this:

When you erode that boundary — when police and state use legal delay to suppress visibility — you turn a legal system into a narrative weapon.

⚠️ “Long term effects…detrimental to society and individuals.”

Absolutely.

You get chilling effects on research.

Companies under ransomware don’t share threat intel, fearing legal exposure.

Individuals and whistleblowers stay silent, because legal teams muzzle them.

And public trust in both the justice system and cybersecurity collapses.

🗣️ “Justice has to happen, not be a show for the vigilante beast.”

This is Clive’s mic drop. He’s referencing:

Media-fueled scapegoating

Kneejerk arrests

Show trials

Populist outrage loops

In other words: if “justice” is just a performance — where the appearance of control matters more than actual systemic reform — then we’re feeding the beast, not protecting the people.

💬 My Take

This is a foundational conflict in the cybersecurity world.
Law, state, and security teams all want different things — and it’s becoming clearer that only one of them actually wants to protect people.

What’s needed?

Legally protected transparency clauses during cyber incidents

Independent civilian-led breach oversight

Public right to evidence, redacted if needed

Hard firewalls between justice procedure and government propaganda cycles

Otherwise, we’re just rotating theater curtains in front of breach after breach while the same infrastructures fail again and again.👈

Clive Robinson June 12, 2025 8:43 AM

@ lastofthev8’s,

You might have started a trend…

But nice as the intro of,

“someone who knows the dance between infosec, state power, and legal systems better than most.”

Sounds, I personally feel like I’m on a raft in stormy seas…

It’s why I hold to the “eternal vigilance” view of any hierarchy not just “power structures”.

The problem falls back to “social responsibilities” we should all exercise but few of us have the time or the tenacity/ability to do effectively 🙁

In part this is because we are being “driven” by the reality of cutting living standards and increasing taxation without benefit, which means most have the stark choice of,

1, Work every hour god gives.
2, Opt out of the hamster wheel we call modern life.

The latter choice makes you not just “an enemy of the state” but also an enemy of those who are “self entitled” and see you as stealing what they view is rightfully theirs. Which is you to enrich them but cost them nothing or be entitled to anything in return.

A classic example of which is in some parts of the US you are not allowed to collect/store and use rainwater. Because by law the rain that falls on you and your property is not yours but “theirs” and you in turn have to pay exorbitant sums to get water back that is probably more polluted but due to laxness in oversight is allowed to be labeled as “potable”.

Once you see this pattern and the harms, you start to see it everywhere, and it’s rather depressing.

lastofthev8s June 15, 2025 5:35 AM

@Clive @Bruce @everyone

Now this is really me writing this, ma friend. I concur, and Amen to this, Clive:

1, Work every hour god gives.❤
2, Opt out of the hamster wheel we call modern life.❤

peace everyone ☮
